Yfrog confirms that e-mail upload feature “has not been compromised in any way”
posted at 12:00 pm on June 5, 2011 by Ed Morrissey
Those providing on-line services take security very, very seriously, because any hint of vulnerability will have users running to competitors almost instantly in the highly competitive Internet world. When Rep. Anthony Weiner and his defenders began blaming Yfrog for a mysterious tweet on his stream that included a photo of a crotch that Weiner couldn’t say “with certitude” wasn’t his, Yfrog responded by suspending all e-mail uploads until it could fully check security. On Friday, Yfrog announced the results of its investigation:
After confirming that our email upload feature has not been compromised in any way – it is now active again (from 5 pm PST today). We appreciate your patience as we work to assure user safety and security. Please always maintain secure passwords and do not share email secret PINs with anyone. Please contact us at firstname.lastname@example.org with any questions, if you want your PINs changed or disabled.
Yfrog explains further:
At yfrog, we take security very seriously. We monitor all the activity on our site and network 24/7 to make sure we secure our services, especially the photos and videos of our users. Our commitment is to protect our users’ photos and make sure they are never lost, deleted by accident, or compromised in any way.
Email Upload Security Explained
The email upload feature was introduced as a convenience for users to send emails with their photos as attachments. The yfrog email PIN is given to the user for the sole purpose of uploading photos only to yfrog. As a private email PIN, it should be treated as confidential information, just like passwords.
To secure further, the user should:
- not share the email PIN with others.
- not include other recipients in the emails sent to yfrog to upload photos.
- not forward to other recipients the emails sent to the email PIN to upload photos to yfrog.
Why we Disabled Email Upload
At yfrog, we constantly evaluate our internal security mechanisms across all the facets of our service. Even though our email upload feature has not been compromised or broken into, we are taking this opportunity to evaluate the feature and secure it even further.
Security is Important to Us
Yfrog serves millions of users and over 2 billion requests worldwide every day with minimal or no attacks or disruptions. As we grow, we will continue to take every measure possible to secure our services so that our users’ photos and videos are protected.
In other words, one cannot upload photos to Yfrog with just a username, as some had alleged. Nor has Yfrog’s e-mail upload system been hacked or compromised. One might suspect from the quick and categorical conclusion to their probe that they may have some fairly convincing evidence of the origin of Rep. Weiner’s tweet and photo. If Weiner really is interested in getting to the bottom of this, he could ask Yfrog to release that information to the public, or at least send investigators to retrieve it and find the culprits.
Of course, a failure to do either makes it pretty clear that Weiner or someone he granted access to the account uploaded the picture and sent the tweet.